You may have seen some fairly alarmist reporting from the ABC about Chinese interests hacking ASIO, Australia’s version of the FBI.
New espionage?
For those who haven’t seen it. The allegations come from the Four Corners program and relate to compromises of sub-contractors of ASIO. ASIO is building a huge new central office and it seems that the Chinese managed to get the blueprints for the building. ASIO is a hard nut for a foreign intelligence agency to attack, so the way to get there is to use their contractors.
The point is that this is not any different from what would have occurred during the cold war! The Chinese or Russians for that matter would have previously used their human intelligence networks. It seems likely that this information would have been a target 50 years ago just as much as now.
What is different then?
The difference is the sheer quantity of attacks that are occurring. We have moved from the Cold War, where the superpowers fought their battles in small third countries such as in South America, Africa or the Middle East to the new paradigm – the cyber insurgency. The wars between the superpowers have moved onshore to the malls and industrial parks of our cities and then they disappear. The authorities and companies are never quite sure who to trust and when / where the insurgent hackers will reappear.
“The guerrilla must swim in the people as the fish swims in the sea.” –Aphorism based on the writing of Mao Zedong
Previously foreign intelligence agencies needed to identify targets and then find resources to compromise them. The new method is to attack anything that might be interesting and suck up whatever comes back. Spies no longer have the difficulty to get the information, they have the challenge to find the needles in the haystack. And they don’t differentiate between business and government. According to reports in the New York Times and a detailed report by Mandiant, any organisation that doesn’t protect its information security, whether private or public is potentially compromised.
How can my organisation protect itself?
Paraphrasing the principles of counter-insurgency as espoused by David Galula and Robert Thompson
– the aim of the war is to gain the support of the population rather than control of territory
– most of the population will be neutral in the conflict.
– support of the population may be lost. The population must be efficiently protected to allow it to cooperate without fear of retribution
– in the guerilla phase of an insurgency, a government must secure its base areas first
Using these principles we can identify a strategic direction
The way to deal with an insurgency is through hearts and minds.
Organisations, whether government agencies or business need to share information with their public and other organisations. Only in this way can they create defence in-depth and help them protect themselves. The attacks on ASIO demonstrate that an organisations’ security is only as good as the weakest link. Importantly, the perimeters of risk in any organisation do not stop at the front door- if they ever did. Organisations suffer from hubris if they believe otherwise. This is why the concepts of deperimeterisation as espoused by the Jericho Foundation and others are so useful.
Organisations need to work out what they need to protect and set about protecting that. Declassification, although counter-intuitive is one way that can help organisations work out what information is valuable.
Organisations need to be adaptable and willing to work with the fact that most information will become available to their adversaries. They need to take advantage of the information in the intervening time.
By making information security central to their organisational decision process, organisations can become more adaptable to this evolving threat. This means moving the security officer from the corner office to the top-level of the organisation. In turn, the security officer needs to change his/her attitude from the ‘computer says no’ person, to the one who says, yes, this is the best way we can do it to make the organisation’s aims with tolerable risk.
Such an organisation is indeed resilient. Change needs to come in the leadership of government and organisations to deal with it. I’m not sure they understand how big this challenge will be.
Information, if you don’t protect it, it just fades away
Recently seen here